Starting a Career in Information Security

Security Career Path

With the demand for cyber security experts so high (over 200,000 open positions in the U.S.), you might ask, “How do you get into the field?” This question was put to the security community. Here is a summary of their advice and a list of the resources they provided, which will help you build your security skills and your network within the security community. Most importantly, it should help you land that first step toward launching your cyber security career.

Advice from the Security community:

  1. Learn the basics:
    • Learn Linux:  Much day-to-day security work happens at the command line and in scripts, so you need to become extremely familiar with the Linux operating environment.
      • Try to understand how and why the tools in your toolbox work, not just which flags to pass them.
      • Run through as many hands-on scenarios as are practical with whatever resources you have access to.
      • Learn with real world scenarios, as theory and practice are not always congruent.
    • Scripting Skills:  Build on basic coding skills (Python, Ruby, etc.) so you can write your own tools and automate repetitive work. This is a big value add for any company’s security group.
    • Learn penetration testing:  Begin to hone your skills and gain knowledge on security by learning the basics at Pentester Academy.
    • Focus on one area first:  Stick with the field you are trying to get a job in and don’t branch out too much. It is extremely valuable to become knowledgeable about one particular technology “bucket” that security sits on top of, such as:
      • Systems
      • Networking
      • Database
      • Application development
    • Build your own lab:  
      • Build/upgrade a desktop PC to at least 16GB RAM, run your choice of Linux distro
      • Build a virtual pentesting lab including Kali and Ubuntu server and (licensing permitting) Windows server & desktop OSes as well. Keep the lab on an isolated, host-only virtual network so that intentionally vulnerable or unpatched machines are never reachable from your home network or the internet.
      • Then along with Cybrary and Pentester Academy courses you can practice and get to know the tools.
      • Develop Python expertise so you can write your own pentesting tools. That will also deepen your understanding.
      • Cybrary video on how to build your own lab:  https://www.cybrary.it/2016/02/s3ss10n-wednesday-build-your-own-pen-testing-lab/
  2. Early Career Paths – Anyone just starting a career in security could take one of these routes:
    • Become a QSA or work for a company performing gap analysis. Although this is more compliance and assessments, it will give you exposure to a wide range of environments and implementations.
    • Work as a system administrator or network engineer.  Practical experience in operations is always useful for a career in information security.
    • Learn penetration testing as many companies accept newbies in this field.
    • Start out as an analyst in a SOC or Incident Response area.
    • Focus on application development and web applications. Demand is high at this layer because so much of an organization’s exposed attack surface lives in its web applications.
    • If your degree is from a US university, look there first. Many universities are hiring cyber security or information security staff, and they typically have different hiring standards than business or general government employers.
    • You may also want to explore working directly with the US government (FBI, CIA, NSA), specifically if you have language skills other than English.
  3. Networking:  Never underestimate the power of networking. If there are local ISC2, ISSA, or ISACA chapters, attend a meeting and network.
  4. Certifications:  
    • You may want to start off getting some basic certifications which don’t require experience such as:
      • Network+
      • CompTIA Sec+
      • OSCP – Offensive Security Certified Professional
    • Once you are experienced, you could further your career by getting these certifications:
      • CISA – Certified Information Systems Auditor
      • CISM – Certified Information Security Manager – Requires more proof of experience than CISSP
      • CEH – Certified Ethical Hacker
      • CISSP – Broad, shallow certification, but best recognized.
  5. Training:  
    • Take SANS courses. They are definitely not cheap, and that may be a challenge, but unlike almost any other courses, SANS training is practical and builds strong, real-world skills.
    • Join on-line security communities for a ton of free and paid training opportunities.  Here are just a few:
  6. Experience through Charities:  Find non-profit organizations that need security help but cannot afford traditional consultants. This shows your ‘giving’ spirit and hones your skills. Check out Hackers for Charity, http://www.ihackcharities.org/. They pair IT people with charities that need work done. The charity gets its project completed, and you can get a nice recommendation for your resume.


While this is not a complete list of resources, this is direct advice from those who have had to build their security careers the hard way.  Hopefully, this summary gives you a roadmap to get your career kick started in the right direction.


3 Comments

  1. You may want to start off getting some basic certifications which don’t require experience such as:
    • Network+
    • CompTIA Sec+
    • OSCP – Offensive Security Certified Professional
    Once you are experienced, you could further your career by getting these certifications:
    • CISA – Certified Information Systems Auditor
    • CISM – Certified Information Security Manager – Requires more proof of experience than CISSP
    • CEH – Certified Ethical Hacker
    • CISSP – Broad, shallow certification, but best recognized.

    I would argue that the OSCP and CEH positions should be switched, due to depth, difficulty, real world application and recognition.
